Malware Analysis Report

2024-09-09 16:06

Sample ID 240724-w6vfzsteqa
Target 6c57f764b48f9cb115020af71341dc5d_JaffaCakes118
SHA256 f15ac5b6f7dd2d62adb480d65f9570e4c6ad438bdc98231344292536987d3454
Tags
irata
score
10/10

Analysis Overview

score
10/10

SHA256

f15ac5b6f7dd2d62adb480d65f9570e4c6ad438bdc98231344292536987d3454

Threat Level: Known bad

The file 6c57f764b48f9cb115020af71341dc5d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

irata

Irata payload

Irata family

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-24 18:32

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. | android.permission.BIND_WALLPAPER | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 18:32

Reported

2024-07-24 18:35

Platform

android-x86-arm-20240624-en

Max time kernel

6s

Max time network

139s

Command Line

ir.hmh.PeaceLiveWallpaper_1

Signatures

N/A

Processes

ir.hmh.PeaceLiveWallpaper_1

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | cafebazaar.ir | udp
IR | 185.166.104.4:443 | cafebazaar.ir | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/Android/data/ir.hmh.PeaceLiveWallpaper_1/files/optimize

MD5 b326b5062b2f0e69046810717534cb09
SHA1 5ffe533b830f08a0326348a9160afafc8ada44db
SHA256 b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b
SHA512 9120cd5faef07a08e971ff024a3fcbea1e3a6b44142a6d82ca28c6c42e4f852595bcf53d81d776f10541045abdb7c37950629415d0dc66c8d86c64a5606d32de

/data/data/ir.hmh.PeaceLiveWallpaper_1/cache/1

MD5 1ddf15ad9155983b9f892bc48c81a5b4
SHA1 4dc6a8eb00a25de31ec255fddd303442c1b2a08d
SHA256 0b72742b449ae1d7f5c2845f937d5b27cdb8470f517b5b3be3619bc6eeeca447
SHA512 67ec7cb1a8b6c0ae3a7b48e3fe571a1782fd273a114ffb497ea58cdf34c1d87a6996d810e99e3867685fa6be85782d83a271cbc9d8a381af616a7973f0d72708

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 18:32

Reported

2024-07-24 18:35

Platform

android-x64-20240624-en

Max time network

167s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-24 18:32

Reported

2024-07-24 18:35

Platform

android-x64-arm64-20240624-en

Max time kernel

7s

Max time network

134s

Command Line

ir.hmh.PeaceLiveWallpaper_1

Signatures

N/A

Processes

ir.hmh.PeaceLiveWallpaper_1

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | cafebazaar.ir | udp
IR | 185.166.104.4:443 | cafebazaar.ir | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/user/0/ir.hmh.PeaceLiveWallpaper_1/cache/1

MD5 1ddf15ad9155983b9f892bc48c81a5b4
SHA1 4dc6a8eb00a25de31ec255fddd303442c1b2a08d
SHA256 0b72742b449ae1d7f5c2845f937d5b27cdb8470f517b5b3be3619bc6eeeca447
SHA512 67ec7cb1a8b6c0ae3a7b48e3fe571a1782fd273a114ffb497ea58cdf34c1d87a6996d810e99e3867685fa6be85782d83a271cbc9d8a381af616a7973f0d72708